What Do Hackers Want from Professional Sports Teams?

By Mike Patterson, Vice President of Strategy, Rook Security

Recently, the Milwaukee Bucks basketball organization went public with a successful W-2 phishing attack that targeted its players and employees. While this is probably not the first attack of its kind, it is a new known data point in attacks against sports teams. In 2015, incidents targeted baseball player scouting data (involving the St. Louis Cardinals and the Houston Astros), and the bloodwork of Tour De France champion Chris Froome from Team Sky.

It appears that now someone has finally realized most team employees are millionaires and may be worth targeting for profit. It’s highly unlikely that hackers are getting bored with banks and hospitals and are now turning their focus to sports—but it’s far more likely these attacks have been underway for some time and are only now making the news.

No offense to the Bucks franchise or its loyal fans, but if I were targeting sports franchises, the Bucks would not be at the top of my list. While the NBA has the highest average player salary of all professional sports leagues, the Milwaukee Bucks rank only 18 out of 30 in total team salary according to HoopsHype. Looking at the top 100 highest-paid players in the league, the Bucks have just two (who come in at 31st and 86th). And while the Bucks have a promising and talented young roster, their last all-star was Michael Redd in 2004 and their last NBA championship was in 1971.

Where am I going with this?

Unless the hacker behind this attack is just a huge Bucks fan and wants to know Jabari Parker’s home address and take-home pay, it’s unfathomable a wave in attacks would start with the Bucks and not the Golden State Warriors, defending NBA champions and arguably the league’s most popular team or the Cleveland Cavaliers, Lebron James’ team and that with the highest average salary. Any other team with a higher concentration of wealth, star power or recent team success would make a better target.

It’s far more likely that an attack against the Bucks means that an operation targeting NBA player 2015 W-2’s is just about over—and another league’s players are the next targets.

Other NBA teams and other professional sports leagues would be wise to take a hard look at their security posture and at recent suspicious activity, including any phishing attempts against their players, employees and any data they retain on their fan base. This of course is all on top of watching for attacks on their player evaluation systems, email correspondence, team finances, player health, free agency and draft plans, and beyond.

Professional teams employ dozens of stadium security personnel to ensure player and fan safety during games. It’s time to start deploying appropriate resources on the IT side so that all stakeholders are safe once the final whistle has been blown on the field of play.

Mike Patterson is Vice President of Strategy, Rook Security, a global IT security solutions provider.